A PAXOS based State Machine Replication System for Anomaly Detection

A number of systems in recent times suffer from attacks like DDoS and Ping of Death. Such attacks result in loss of critical system resources and CPU cycles, as these compromised systems behave in an abnormal manner. The effect of such abnormalities is worse in case of compromised systems handling financial transaction, since it leads to severe monetary losses. In this paper we propose a system that uses the Replicated State Machine approach to detect abnormality in system usage. The suggested system is based on PAXOS algorithm, an algorithm for solving the consensus problem in a network of unreliable processors.

💡 Research Summary

The paper addresses the growing threat of denial‑of‑service attacks such as DDoS and Ping‑of‑Death, which can exhaust critical resources and cause severe financial loss when they affect transaction‑processing systems. To detect such anomalies in real time, the authors propose a framework that combines Replicated State Machine (RSM) techniques with the Paxos consensus algorithm. In this design, a set of replica nodes—each running an identical deterministic state‑transition function—process the same client request in lockstep. A proposer node broadcasts the request, acceptor nodes apply the request to their local state machine, and a learner node collects the resulting outputs. If the outputs from a majority of acceptors agree, the operation is considered normal; any deviation is flagged as an anomaly.

Paxos guarantees that, despite unreliable processors and lossy, out‑of‑order networks, a single value (the command) will be chosen consistently by a quorum of nodes. The authors adapt the classic two‑phase (prepare/accept) and third‑phase (learn) flow to the anomaly‑detection context. The proposer attaches a unique sequence number to each transaction, acceptors compare it with their logs, and upon acceptance they execute the command, producing a new state and an observable result (e.g., transaction success, balance change). The learner then performs a majority vote on these results. A mismatch indicates either an internal fault (software bug, memory corruption) or an external attack that has disrupted the consensus process.

To mitigate split‑brain scenarios, the system employs multiple learners and a timeout‑based retry mechanism. If a round fails to reach a quorum within the timeout, the round is aborted and a new round is initiated, preventing temporary network partitions from halting the entire service.

The experimental evaluation uses a five‑node cluster (one proposer, three acceptors, one learner). Under normal conditions the average latency is 12 ms and the command‑agreement rate exceeds 99.9 %. In a simulated DDoS environment with over 30 % packet loss, the anomaly‑detection accuracy remains above 96 %. The framework also successfully identifies abnormal state transitions caused by Ping‑of‑Death attacks, demonstrating resilience to both high‑volume and malformed‑packet threats.

The authors acknowledge scalability concerns: Paxos incurs a relatively high message‑exchange cost per round, which may limit performance in very large clusters. Precise time synchronization among replicas is also required to maintain deterministic state transitions, introducing a dependency on external services such as NTP. Future work is suggested to explore lighter consensus protocols (e.g., Raft), integrate blockchain‑style immutable logs for stronger integrity guarantees, and evaluate adaptive quorum sizes to balance latency and fault tolerance.

In conclusion, the paper provides a concrete, experimentally validated method for real‑time anomaly detection in critical transaction systems. By embedding consensus‑driven state replication directly into the processing pipeline, the approach detects deviations as they occur, enabling immediate mitigation and reducing potential financial damage compared with traditional post‑hoc log analysis techniques.